IoT Security Bills for US Government Will Also Affect Business IT

On March 11, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced in the U.S. Senate in an effort to get control over the purchasing of insecure devices by the U.S. government. Until now, there have been no real security standards covering the purchasing of IoT devices, in large part because actual IoT security ranged between nonexistent and rare. The Act seeks to change this by imposing minimum required standards for any IoT device purchased by the U.S. government. Once the rules go into effect in 2020, the new requirements include making IoT devices patchable, certifying that they are free from known vulnerabilities and that the devices use standard protocols. The rules will also require that if vulnerabilities become known, that vendors must disclose them to the agency that bought or otherwise acquired the device, and the vendor must include the means of limiting or fixing the vulnerability. In addition, the Act requires a major change from one of the worst of the IoT practices, which is the use of hard-coded credentials. This means that it must be possible for users to install their own credentials, such as a user name and password.